Before we can start ProFTPD, we need to make some OS X specific adjustments. Go ahead and open up the "ProFTPD Server" module under the "Servers" section. Select the "Edit Config Files" option. Look for the line that has the comment "Set the user and group under which the server will run." and comment out the next two lines so it looks like this:

# Set the user and group under which the server will run.
#User nobody
#Group nogroup
Click the "Save" button to return to the main menu. By now you should have a functional FTP server. However, there are a couple of "tweaks" I like to do to make things work a little better. Let's start by removing the login delay.

Click on "Networking Options" in the ProFTPD module's main menu.
Change the "Do reverse DNS lookups of client" option to "No".
Change the "Lookup remote ident username" option to "No".
PASV port range: 60000 - 65535
Click "Save" to save and return to the main menu.

Let's allow the use of "CHMOD":
In the main menu, under "Virtual Servers" click "Default server".
Under "Per-directory and Per-command options" click "Commands SITE_CHMOD".
Click "Access Control".
Change the "Access Control Policy" option to "Allow all clients".
Click "SITE_CHMOD".
Set FTP commands to All (or just what you like).

Click "Save" to save. Then click "return to main menu".

Limit Users to Home Directory:
Click on "Files and Directories" in the main menu.
Change the "Limit users to directories" option to "Home Directory".
Click "Save" to save and return to the main menu.

To avoid hack attacks, change the port number of ProFTPD.
I changed it from port 21 to XXXX (pick your own number).
I also disabled anonymous FTP.
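
One way to confirm that the Webmin changes above reached the configuration file. This is an added example, not part of the original tutorial: it assumes Webmin writes these options as the standard ProFTPD directives `UseReverseDNS`, `IdentLookups`, `PassivePorts` and `DefaultRoot`, and the sample configuration with its port value is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a proftpd.conf for the
# settings this section configures through Webmin.

# audit_proftpd CONF -> one finding per line; exit status 0 only when clean.
audit_proftpd() {
    awk '
    { sub(/#.*/, "") }                  # strip comments
    NF == 0 { next }                    # skip blank lines
    { key = tolower($1) }
    key == "usereversedns" { rdns  = tolower($2) }
    key == "identlookups"  { ident = tolower($2) }
    key == "defaultroot"   { root  = $2 }
    key == "passiveports"  { lo = $2 + 0; hi = $3 + 0 }
    key ~ /^<anonymous/    { anon = 1 }
    END {
        if (rdns  != "off") { print "UseReverseDNS is not off"; bad++ }
        if (ident != "off") { print "IdentLookups is not off"; bad++ }
        if (root  != "~")   { print "DefaultRoot is not ~ (no home-directory jail)"; bad++ }
        if (lo < 1024 || hi > 65535 || lo > hi) {
            print "PassivePorts missing or outside 1024-65535"; bad++
        }
        if (anon) { print "<Anonymous> section present"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the configuration this section aims for.
sample_conf() {
    cat <<'EOF'
# Set the user and group under which the server will run.
#User nobody
#Group nogroup
# Port value below is a constructed placeholder.
Port            2121
UseReverseDNS   off
IdentLookups    off
PassivePorts    60000 65535
DefaultRoot     ~
<Limit SITE_CHMOD>
  AllowAll
</Limit>
EOF
}

# With a file argument audit that file, otherwise audit the sample.
if [ "$#" -gt 0 ]; then audit_proftpd "$1"; else sample_conf | audit_proftpd -; fi
```

The passive port range it reports on (60000 - 65535 here) is the range the firewall has to let through for passive-mode transfers.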

Starting ProFTPD Automatically on Boot
You probably want ProFTPD to start automatically on boot instead of having to start it up manually each time. To set up an OS X startup item, just use Webmin.

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.akadia.com, then enter public.akadia.com at this prompt. The command to generate the CSR is as follows:

openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Bern
Locality Name (eg, city) [Newbury]:Oberdiessbach
Organization Name (eg, company) [My Company Ltd]:Akadia AG
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:public.akadia.com
Email Address []:martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 365 days, issue the following command:
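
The four steps described above (private key, CSR, passphrase removal, self-signed certificate) as one non-interactive script. This is an added example, not the original page's commands; the `KEY_PASS` variable, the `server.key.enc` file name and the function names are assumptions, and it uses a 2048-bit key with AES-256 in place of the 1024-bit Triple-DES key in the text, since 1024-bit RSA is below current minimum recommendations.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): key, CSR, passphrase
# removal and self-signed certificate in one non-interactive run.
# Assumptions: passphrase in $KEY_PASS, 2048-bit key, AES-256 instead of
# Triple-DES, encrypted key kept as server.key.enc.

# make_selfsigned CN OUTDIR [DAYS]   (runs in a subshell: cd/umask stay local)
make_selfsigned() (
    cn=$1; out=$2; days=${3:-365}
    if [ -z "$cn" ] || [ -z "$out" ] || [ -z "${KEY_PASS:-}" ]; then
        echo "usage: KEY_PASS=... make_selfsigned CN OUTDIR [DAYS]" >&2
        exit 2
    fi
    export KEY_PASS                    # openssl reads it through env:KEY_PASS
    umask 077                          # new files are readable by the owner only
    mkdir -p "$out" && cd "$out" || exit 1

    # Step 1: encrypted private key; env: keeps the passphrase out of argv.
    openssl genrsa -aes256 -passout env:KEY_PASS -out server.key.enc 2048 || exit 1
    # Step 2: CSR; -subj supplies the Common Name instead of the prompts.
    openssl req -new -key server.key.enc -passin env:KEY_PASS \
        -subj "/CN=$cn" -out server.csr || exit 1
    # Step 3: passphrase-free copy so the server can start unattended.
    openssl rsa -in server.key.enc -passin env:KEY_PASS -out server.key || exit 1
    chmod 600 server.key
    # Step 4: temporary self-signed certificate.
    openssl x509 -req -days "$days" -in server.csr -signkey server.key \
        -out server.crt || exit 1
)

# cert_matches_key CERT KEY: true only if both carry the same RSA modulus.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_is_private FILE: true only if the mode is exactly rw-------.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

if [ "$#" -ge 2 ]; then
    make_selfsigned "$@" && cert_matches_key "$2/server.crt" "$2/server.key"
fi
```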

Upload and Download:
Limit uploads and downloads to home directory? yes

======== Virtualmin -> System Settings -> Features and Plugins ==========
Select all except "Spam filtering" and "virus filtering". We use our own (remember).

======== Virtualmin -> System Settings -> Server Templates ==========
mkdir /etc/skel
I moved my own under construction html files to it.
The moment a new account has been created, the under construction page is shown by default.

Full path to sarg executable: /usr/local/bin/sarg
Full path to SARG configuration file: /usr/local/etc/sarg.conf

======== Apple OSX settings ========
chmod 777 /Library/Logs
(Mode 777 lets every local account create and delete files in /Library/Logs.)

======== Web server ========

There are 2 ways to set up Apache. I choose to use the default settings of Apache to work well with Webmin.

Specific setup for use with server.app is easy to accomplish.
Both instructions will be posted at a later stage.

======== Mail server ========

A complete solution will be provided. Stay tuned.
(Below is the raw version, for those who requested.)

======== Dovecot IMAP/POP3 Server ========
We will configure the mail ourselves, but to get all config files created,
please launch "Admin Server", add mail and start the mail server. This will generate all files we need. (Stop the mail server when generation is done.)

======== Postfix Mail Server ========
The message "group or other writable" means that another user (not the owner) is able to write. You can fix it with chmod. Example to remove group write permissions

15 Comments

January 20, 2012 2:56pm

Wow great, thank you. I spent almost a week installing Lion server on my new Mac mini. Failed so many times. Services didn't run properly etc... At the end I found out it was BT's fault. Their router is rubbish so I swapped it with Airport Extreme and it is working fine since. I have one silly question: do I need to set DNS when all my DNS entries are with the company where I registered the domain?
Thanks

January 20, 2012 3:12pm

@Filip,
Thanks. Depends, if you like to run your own mail server, multiple websites etc you would need to enable DNS on your MacMini Server.
But you only need 1 static IP to get all running. (DNS e.a.)

April 05, 2012 1:39am

Fantastic work - was great to use, and works well.
Was wondering if you can post your fix for Webmin to work with Lion's Apache, at the moment no ghosts show.
Will be highly appreciated.

April 05, 2012 8:59am

@Eran,
Thanks,
I just sent you an email on how to get your request working.

I have read a few excellent stuff here. Certainly value bookmarking for revisiting.
I wonder how much attempt you set to make the sort of great informative site.

March 01, 2013 3:41am

Hi,
Is your Lion tutorial here compatible with Mountain Lion Server? I got a new Mac mini and cannot change to Lion.
Greetings from Germany
carsten

March 04, 2013 1:10pm

Hello carsten,
Yes this tutorial is compatible. (paths, locations will be the same. Only some version numbers could be different (newer) but that's not a problem...)

March 04, 2013 2:27pm

Hi Martijn,
I am stuck at the beginning with the Server-Admin screen where I have to disable "Dedicate system resources to server services".
What should I do?
BTW. What does this button do?
Greetings
Carsten

March 07, 2013 10:15am

Hello carsten,
Sorry for the late response. (blog is getting some spam so I need to check every entry before approving)
Apple reserves memory and cpu for their own tasks. (like account manager, wiki a.o. apps from apple)
But this makes other web related tasks and the server overall slower.
By disabling you are in charge, which results in faster websites, mail and others...
If you have any other question, please email me.
Kind regards,
Martijn